Shawn Bakhtiar wrote:
I still say having firewalls from higher security zones to lower
ones, does not make sense. Security is only valid when it is
INBOUND. Outbound security is no security at all, just a pain for
your users.
I used to think like that, but now I'd respectfully disagree.
It's not an answer in its own right, but used intelligently it
provides another layer of protection. OK, if your server gets
compromised then it doesn't protect the server, but it does restrict
the damage it can do.
For example, if you don't require to access external FTP servers,
then don't allow outbound FTP connections. Should your server get
compromised and the **** use it to try and brute-force attack other
FTP servers, instead of using up your bandwidth and causing a
headache for the targets, the connections fail. On the other hand, if
the basic software installed by the hack is unable to contact its
command centre for instructions (or to install additional software),
then it's going to be useless to the attacker.
In a similar vein, I ALWAYS configure my routers etc to only allow
outbound SMTP connections that are actually required. In the general
case, end user machines should not be sending mail other than through
specific servers - and if they are trying to send mail elsewhere then
most likely it's spam from an infected machine. If a user has a
genuine reason for sending mail, then the Submission port (which I do
allow) is the way to do it. Again, it's not protecting your systems
which are already compromised, but it's limiting the damage that then
follows - damage in bandwidth costs, and reputational damage from
getting blacklisted.
Just two examples that came to mind for no particular reason - and if
you believe that you'll believe anything !
Yes it needs more work to set up, and figure out what connections you
require - but IMO it's worth it in many cases. As you say, there are
cases where it's not appropriate, and you need to judge each case on
its merits in an intelligent way. Strike a reasonable balance
between protection, being a good netizen, and allowing users to do
their jobs.
Having said all that, in this case, I'm inclined to agree that the
requested functionality isn't really a generally useful thing to be
doing.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
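The two egress policies described in the reply above (no outbound FTP from the LAN; port 25 only from the mail relays, with the submission port open for everyone), written as an nftables ruleset for a small router, plus a one-liner that pulls the likely spambots out of the resulting firewall log. This is an added example, not Simon's configuration and not ClamAV code. The interface names (lan0/wan0), the relay addresses (192.0.2.10/11), the log prefixes and the sample kernel log lines are all constructed assumptions for illustration.

```shell
#!/bin/sh
# Egress (outbound) filtering for a LAN-to-Internet router, as an added example.
# Assumed: interfaces lan0/wan0, mail relays 192.0.2.10 and 192.0.2.11,
# nftables on the router. None of this is from the original post.
#
#   gen_egress_ruleset    print an nftables ruleset implementing the policy
#   check_egress_ruleset  syntax-check it with `nft -c` when nft is installed
#   smtp_suspects         list LAN hosts logged trying to reach remote port 25

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
# Only these hosts may deliver mail directly to remote port 25.
MAIL_SERVERS="${MAIL_SERVERS:-192.0.2.10, 192.0.2.11}"
# Hosts with a genuine need for outbound FTP; empty means nobody (the default).
FTP_CLIENTS="${FTP_CLIENTS:-}"

gen_egress_ruleset() {
    ftp_rule=""
    if [ -n "$FTP_CLIENTS" ]; then
        ftp_rule="        ip saddr { $FTP_CLIENTS } tcp dport 21 accept"
    fi
    cat <<EOF
flush ruleset
table inet egress {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN_IF" oifname "$WAN_IF" jump lan_to_wan
        counter drop
    }
    chain lan_to_wan {
        # SMTP: the relays may talk to the world on port 25 ...
        ip saddr { $MAIL_SERVERS } tcp dport 25 accept
        # ... anything else hitting port 25 is most likely a spambot: log, drop.
        tcp dport 25 log prefix "EGRESS-SMTP-BLOCK " counter drop
        # Submission (587) and SMTPS (465) stay open: genuine senders
        # authenticate to a mail server rather than delivering directly.
        tcp dport { 587, 465 } accept
        # FTP: not needed from the LAN except for listed clients, so denied.
$ftp_rule
        tcp dport 21 log prefix "EGRESS-FTP-BLOCK " counter drop
        # What the LAN actually needs (DNS, web, NTP).
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443 } accept
        # Default deny with logging, so any new legitimate need shows up
        # in the logs (and so does malware looking for its command centre).
        log prefix "EGRESS-DEFAULT-DROP " counter drop
    }
}
EOF
}

# Parse only (-c); does not load anything. Skips when nft is absent.
check_egress_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_egress_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Read kernel log lines on stdin; print "count source-ip", most frequent first,
# for hosts the EGRESS-SMTP-BLOCK rule caught. Each is a cleanup candidate.
smtp_suspects() {
    grep 'EGRESS-SMTP-BLOCK' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn
}

# Constructed sample log lines in the kernel's nftables log format.
SAMPLE_LOG='Jan  5 10:01:02 gw kernel: EGRESS-SMTP-BLOCK IN=lan0 OUT=wan0 SRC=192.0.2.77 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=25 WINDOW=64240
Jan  5 10:01:02 gw kernel: EGRESS-SMTP-BLOCK IN=lan0 OUT=wan0 SRC=192.0.2.77 DST=203.0.113.6 LEN=60 PROTO=TCP SPT=51235 DPT=25 WINDOW=64240
Jan  5 10:01:03 gw kernel: EGRESS-FTP-BLOCK IN=lan0 OUT=wan0 SRC=192.0.2.80 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40000 DPT=21 WINDOW=64240
Jan  5 10:01:04 gw kernel: EGRESS-SMTP-BLOCK IN=lan0 OUT=wan0 SRC=192.0.2.81 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51300 DPT=25 WINDOW=64240'

case "${1:-}" in
    gen)      gen_egress_ruleset ;;
    check)    check_egress_ruleset ;;
    suspects) smtp_suspects ;;                          # journalctl -k | ./egress.sh suspects
    demo)     printf '%s\n' "$SAMPLE_LOG" | smtp_suspects ;;
esac
```

Rule order matters: the relay accept has to sit above the generic port-25 drop, and the submission ports are accepted for every host precisely so that blocking 25 costs legitimate users nothing. The log prefixes are what make the policy useful beyond dropping packets: the `EGRESS-DEFAULT-DROP` lines tell you what else the LAN wanted, and `smtp_suspects` turns the SMTP blocks into a list of machines to look at.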